-rw-r--r-- | .github/workflows/build.yml | 6 | ||||
-rw-r--r-- | README.md | 13 | ||||
-rwxr-xr-x | configure | 26 | ||||
-rw-r--r-- | configure.ac | 2 | ||||
-rw-r--r-- | etc/inc/disable-programs.inc | 1 | ||||
-rw-r--r-- | etc/profile-a-l/evolution.profile | 60 | ||||
-rw-r--r-- | etc/profile-a-l/kmail.profile | 81 | ||||
-rw-r--r-- | etc/profile-m-z/peek.profile | 24 | ||||
-rw-r--r-- | etc/profile-m-z/vlc.profile | 2 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 1 |
10 files changed, 180 insertions, 36 deletions
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 5ee3d733d..56b38cb71 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml | |||
@@ -43,3 +43,9 @@ jobs: | |||
43 | run: sudo apt-get install cppcheck | 43 | run: sudo apt-get install cppcheck |
44 | - name: cppcheck | 44 | - name: cppcheck |
45 | run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance . | 45 | run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance . |
46 | profile-sort: | ||
47 | runs-on: ubuntu-20.04 | ||
48 | steps: | ||
49 | - uses: actions/checkout@v2 | ||
50 | - name: check profiles | ||
51 | run: ./contrib/sort.py etc/*/{*.inc,*.net,*.profile} | ||
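Review bot: `- uses: actions/checkout@v2` in the new profile-sort job pins a mutable tag, so what runs in CI is whatever `v2` points to on the day; pin it to the full commit SHA of the v2 release and keep the tag as a trailing comment, `- uses: actions/checkout@<full sha> # v2`. The `run:` line relies on brace expansion in `etc/*/{*.inc,*.net,*.profile}`, which only holds because GitHub's default step shell on ubuntu runners is bash, so an explicit `shell: bash` on the step documents that dependency. I cannot see `contrib/sort.py` from here and am assuming it exits non-zero on an unsorted profile; if it only rewrites files in place, this job never fails. The enclosing `jobs:` mapping starts above the hunk.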
@@ -154,9 +154,9 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe | |||
154 | ````` | 154 | ````` |
155 | 155 | ||
156 | ````` | 156 | ````` |
157 | ## Latest released version: 0.9.62 | 157 | ## Latest released version: 0.9.64 |
158 | 158 | ||
159 | ## Current development version: 0.9.63 | 159 | ## Current development version: 0.9.65 |
160 | 160 | ||
161 | ### Profile Statistics | 161 | ### Profile Statistics |
162 | 162 | ||
@@ -191,12 +191,3 @@ Stats: | |||
191 | 191 | ||
192 | ### New profiles: | 192 | ### New profiles: |
193 | 193 | ||
194 | gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, gnome-passwordsafe, bibtex, gummi, latex, pdflatex, tex, wpp, wpspdf, wps, et, | ||
195 | multimc, gnome-hexgl, com.github.johnfactotum.Foliate, desktopeditors, impressive, mupdf-gl, mupdf-x11, mupdf-x11-curl, | ||
196 | muraster, mutool, planmaker18, planmaker18free, presentations18, presentations18free, textmaker18, textmaker18free, teams, xournal, | ||
197 | gnome-screenshot, ripperX, sound-juicer, iagno, com.github.dahenson.agenda, gnome-pomodoro, gnome-todo, kmplayer, | ||
198 | penguin-command, x2goclient, frogatto, gnome-mines, gnome-nibbles, lightsoff, ts3client_runscript.sh, warmux, ferdi, abiword, | ||
199 | four-in-a-row, gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin, gnome-tetravex, blobwars, gravity-beams-and-evaporating-stars, | ||
200 | hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless, mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers, | ||
201 | seahorse-adventures, wordwarvi, xbill, gnome-klotski, five-or-more, swell-foop, fdns, jitsi-meet-desktop, nicontine, steam-runtime, apostrophe, quadrapassel, dino-im, strawberry, hitori, bijiben, gnote, gnubik, ZeGrapher, gapplication, xonotic-sdl-wrapper, openarena_ded, cawbird, freetube, homebank, mattermost-desktop, newsflash, com.gitlab.newsflash, element-desktop, sushi, xfce4-screenshooter, org.gnome.NautilusPreviewer, lyx, minitube, nuclear, mtpaint, minecraft-launcher, gnome-calendar, vmware, git-cola, otter-browser, kazam, menulibre, musictube, onboard, fractal, mirage, quaternion, spectral, man, psi, smuxi-frontend-gnome, balsa, kube, trojita, cola, twitch, youtube, youtubemusic-nativefier, ytmdesktop, dbus-send, notify-send, qrencode, | ||
202 | xournalpp, chromium-freeworld, equalx | ||
@@ -1,6 +1,6 @@ | |||
1 | #! /bin/sh | 1 | #! /bin/sh |
2 | # Guess values for system-dependent variables and create Makefiles. | 2 | # Guess values for system-dependent variables and create Makefiles. |
3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.64. | 3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.65. |
4 | # | 4 | # |
5 | # Report bugs to <netblue30@protonmail.com>. | 5 | # Report bugs to <netblue30@protonmail.com>. |
6 | # | 6 | # |
@@ -580,8 +580,8 @@ MAKEFLAGS= | |||
580 | # Identity of this package. | 580 | # Identity of this package. |
581 | PACKAGE_NAME='firejail' | 581 | PACKAGE_NAME='firejail' |
582 | PACKAGE_TARNAME='firejail' | 582 | PACKAGE_TARNAME='firejail' |
583 | PACKAGE_VERSION='0.9.64' | 583 | PACKAGE_VERSION='0.9.65' |
584 | PACKAGE_STRING='firejail 0.9.64' | 584 | PACKAGE_STRING='firejail 0.9.65' |
585 | PACKAGE_BUGREPORT='netblue30@protonmail.com' | 585 | PACKAGE_BUGREPORT='netblue30@protonmail.com' |
586 | PACKAGE_URL='https://firejail.wordpress.com' | 586 | PACKAGE_URL='https://firejail.wordpress.com' |
587 | 587 | ||
@@ -1292,7 +1292,7 @@ if test "$ac_init_help" = "long"; then | |||
1292 | # Omit some internal or obsolete options to make the list less imposing. | 1292 | # Omit some internal or obsolete options to make the list less imposing. |
1293 | # This message is too long to be a string in the A/UX 3.1 sh. | 1293 | # This message is too long to be a string in the A/UX 3.1 sh. |
1294 | cat <<_ACEOF | 1294 | cat <<_ACEOF |
1295 | \`configure' configures firejail 0.9.64 to adapt to many kinds of systems. | 1295 | \`configure' configures firejail 0.9.65 to adapt to many kinds of systems. |
1296 | 1296 | ||
1297 | Usage: $0 [OPTION]... [VAR=VALUE]... | 1297 | Usage: $0 [OPTION]... [VAR=VALUE]... |
1298 | 1298 | ||
@@ -1354,7 +1354,7 @@ fi | |||
1354 | 1354 | ||
1355 | if test -n "$ac_init_help"; then | 1355 | if test -n "$ac_init_help"; then |
1356 | case $ac_init_help in | 1356 | case $ac_init_help in |
1357 | short | recursive ) echo "Configuration of firejail 0.9.64:";; | 1357 | short | recursive ) echo "Configuration of firejail 0.9.65:";; |
1358 | esac | 1358 | esac |
1359 | cat <<\_ACEOF | 1359 | cat <<\_ACEOF |
1360 | 1360 | ||
@@ -1470,7 +1470,7 @@ fi | |||
1470 | test -n "$ac_init_help" && exit $ac_status | 1470 | test -n "$ac_init_help" && exit $ac_status |
1471 | if $ac_init_version; then | 1471 | if $ac_init_version; then |
1472 | cat <<\_ACEOF | 1472 | cat <<\_ACEOF |
1473 | firejail configure 0.9.64 | 1473 | firejail configure 0.9.65 |
1474 | generated by GNU Autoconf 2.69 | 1474 | generated by GNU Autoconf 2.69 |
1475 | 1475 | ||
1476 | Copyright (C) 2012 Free Software Foundation, Inc. | 1476 | Copyright (C) 2012 Free Software Foundation, Inc. |
@@ -1772,7 +1772,7 @@ cat >config.log <<_ACEOF | |||
1772 | This file contains any messages produced by compilers while | 1772 | This file contains any messages produced by compilers while |
1773 | running configure, to aid debugging if configure makes a mistake. | 1773 | running configure, to aid debugging if configure makes a mistake. |
1774 | 1774 | ||
1775 | It was created by firejail $as_me 0.9.64, which was | 1775 | It was created by firejail $as_me 0.9.65, which was |
1776 | generated by GNU Autoconf 2.69. Invocation command line was | 1776 | generated by GNU Autoconf 2.69. Invocation command line was |
1777 | 1777 | ||
1778 | $ $0 $@ | 1778 | $ $0 $@ |
@@ -3417,8 +3417,8 @@ if test "x$enable_apparmor" = "xyes"; then : | |||
3417 | HAVE_APPARMOR="-DHAVE_APPARMOR" | 3417 | HAVE_APPARMOR="-DHAVE_APPARMOR" |
3418 | 3418 | ||
3419 | pkg_failed=no | 3419 | pkg_failed=no |
3420 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for AA" >&5 | 3420 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for libapparmor" >&5 |
3421 | $as_echo_n "checking for AA... " >&6; } | 3421 | $as_echo_n "checking for libapparmor... " >&6; } |
3422 | 3422 | ||
3423 | if test -n "$AA_CFLAGS"; then | 3423 | if test -n "$AA_CFLAGS"; then |
3424 | pkg_cv_AA_CFLAGS="$AA_CFLAGS" | 3424 | pkg_cv_AA_CFLAGS="$AA_CFLAGS" |
@@ -3458,7 +3458,7 @@ fi | |||
3458 | 3458 | ||
3459 | 3459 | ||
3460 | if test $pkg_failed = yes; then | 3460 | if test $pkg_failed = yes; then |
3461 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 | 3461 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 |
3462 | $as_echo "no" >&6; } | 3462 | $as_echo "no" >&6; } |
3463 | 3463 | ||
3464 | if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then | 3464 | if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then |
@@ -3485,7 +3485,7 @@ Alternatively, you may set the environment variables AA_CFLAGS | |||
3485 | and AA_LIBS to avoid the need to call pkg-config. | 3485 | and AA_LIBS to avoid the need to call pkg-config. |
3486 | See the pkg-config man page for more details." "$LINENO" 5 | 3486 | See the pkg-config man page for more details." "$LINENO" 5 |
3487 | elif test $pkg_failed = untried; then | 3487 | elif test $pkg_failed = untried; then |
3488 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 | 3488 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 |
3489 | $as_echo "no" >&6; } | 3489 | $as_echo "no" >&6; } |
3490 | { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 | 3490 | { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 |
3491 | $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} | 3491 | $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} |
@@ -4801,7 +4801,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 | |||
4801 | # report actual input values of CONFIG_FILES etc. instead of their | 4801 | # report actual input values of CONFIG_FILES etc. instead of their |
4802 | # values after options handling. | 4802 | # values after options handling. |
4803 | ac_log=" | 4803 | ac_log=" |
4804 | This file was extended by firejail $as_me 0.9.64, which was | 4804 | This file was extended by firejail $as_me 0.9.65, which was |
4805 | generated by GNU Autoconf 2.69. Invocation command line was | 4805 | generated by GNU Autoconf 2.69. Invocation command line was |
4806 | 4806 | ||
4807 | CONFIG_FILES = $CONFIG_FILES | 4807 | CONFIG_FILES = $CONFIG_FILES |
@@ -4855,7 +4855,7 @@ _ACEOF | |||
4855 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 | 4855 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 |
4856 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" | 4856 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" |
4857 | ac_cs_version="\\ | 4857 | ac_cs_version="\\ |
4858 | firejail config.status 0.9.64 | 4858 | firejail config.status 0.9.65 |
4859 | configured by $0, generated by GNU Autoconf 2.69, | 4859 | configured by $0, generated by GNU Autoconf 2.69, |
4860 | with options \\"\$ac_cs_config\\" | 4860 | with options \\"\$ac_cs_config\\" |
4861 | 4861 | ||
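--- a/configure.ac
+++ b/configure.ac
@@ -12,7 +12,7 @@
 #
 
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.64, netblue30@protonmail.com, , https://firejail.wordpress.com)
+AC_INIT(firejail, 0.9.65, netblue30@protonmail.com, , https://firejail.wordpress.com)
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 
 AC_CONFIG_MACRO_DIR([m4])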
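--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -142,6 +142,7 @@ blacklist ${HOME}/.config/Wire
 blacklist ${HOME}/.config/Youtube
 blacklist ${HOME}/.config/Zeal
 blacklist ${HOME}/.config/ZeGrapher Project
+blacklist ${HOME}/.config/aacs
 blacklist ${HOME}/.config/abiword
 blacklist ${HOME}/.config/agenda
 blacklist ${HOME}/.config/akonadi*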
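--- a/etc/profile-a-l/evolution.profile
+++ b/etc/profile-a-l/evolution.profile
@@ -6,15 +6,16 @@ include evolution.local
 # Persistent global definitions
 include globals.local
 
-noblacklist /var/mail
-noblacklist /var/spool/mail
 noblacklist ${HOME}/.bogofilter
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.mozilla
+noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.cache/evolution
 noblacklist ${HOME}/.config/evolution
-noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.local/share/evolution
-noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
+noblacklist /var/mail
+noblacklist /var/spool/mail
 
 include disable-common.inc
 include disable-devel.inc
@@ -22,13 +23,42 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
 
+mkdir ${HOME}/.bogofilter
+mkdir ${HOME}/.gnupg
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.cache/evolution
+mkdir ${HOME}/.config/evolution
+mkdir ${HOME}/.local/share/evolution
+mkdir ${HOME}/.local/share/pki
+whitelist ${HOME}/.bogofilter
+whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.cache/evolution
+whitelist ${HOME}/.config/evolution
+whitelist ${HOME}/.local/share/evolution
+whitelist ${HOME}/.local/share/pki
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
+whitelist ${RUNUSER}/gnupg
+whitelist /usr/share/evolution
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+whitelist /var/mail
+whitelist /var/spool/mail
+include whitelist-common.inc
 include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 # no3d breaks under wayland
-#no3d
+# no3d
 nodvd
 nogroups
 nonewprivs
@@ -40,7 +70,27 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
+tracelog
 
+# disable-mnt
+# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
+# To use private-bin add all evolution,gpg,pinentry binaries and follow firefox.profile for hyperlink support
+# private-bin evolution
+private-cache
 private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg
 private-tmp
+writable-run-user
 writable-var
+
+dbus-user filter
+dbus-user.own org.gnome.Evolution
+dbus-user.talk ca.desrt.dconf
+# Uncomment to have keyring access
+# dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.gnome.keyring.SystemPrompter
+dbus-user.talk org.gnome.OnlineAccounts
+dbus-user.talk org.freedesktop.Notifications
+dbus-system none
+
+read-only ${HOME}/.mozilla/firefox/profiles.ini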
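Review bot: The `private-etc` line at new line 81 leaves out `ld.so.cache`, `ld.so.preload` and `nsswitch.conf`, which kmail.profile in this same commit includes; unless the difference is intentional the two mail profiles should agree, and the change is one line: `private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg` (without nsswitch.conf glibc silently falls back to its built-in lookup order, which usually works but deserves a comment if it is relied on). `dbus-user.talk org.gnome.OnlineAccounts` also needs a why-comment, because as far as I know GOA hands out access tokens for every configured account, not only mail ones: `# GOA is needed for GOA-backed mail accounts; note it exposes tokens of all online accounts`. Likewise `whitelist ${HOME}/.gnupg` mounts the entire keyring, private-keys-v1.d included, into a process that parses untrusted mail, while the `${RUNUSER}/gnupg` whitelist looks intended to reach the host gpg-agent; a comment stating which of the two is actually required would let a later reviewer judge whether the directory whitelist can be narrowed.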
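--- a/etc/profile-a-l/kmail.profile
+++ b/etc/profile-a-l/kmail.profile
@@ -9,6 +9,10 @@ include globals.local
 # kmail has problems launching akonadi in debian and ubuntu.
 # one solution is to have akonadi already running when kmail is started
 
+noblacklist ${HOME}/.gnupg
+# noblacklist ${HOME}/.kde/
+# noblacklist ${HOME}/.kde4/
+noblacklist ${HOME}/.mozilla
 noblacklist ${HOME}/.cache/akonadi*
 noblacklist ${HOME}/.cache/kmail2
 noblacklist ${HOME}/.config/akonadi*
@@ -19,7 +23,6 @@ noblacklist ${HOME}/.config/kmail2rc
 noblacklist ${HOME}/.config/kmailsearchindexingrc
 noblacklist ${HOME}/.config/mailtransports
 noblacklist ${HOME}/.config/specialmailcollectionsrc
-noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.local/share/akonadi*
 noblacklist ${HOME}/.local/share/apps/korganizer
 noblacklist ${HOME}/.local/share/contacts
@@ -30,6 +33,8 @@ noblacklist ${HOME}/.local/share/kxmlgui5/kmail2
 noblacklist ${HOME}/.local/share/local-mail
 noblacklist ${HOME}/.local/share/notes
 noblacklist /tmp/akonadi-*
+noblacklist /var/mail
+noblacklist /var/spool/mail
 
 include disable-common.inc
 include disable-devel.inc
@@ -37,10 +42,73 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
+mkdir ${HOME}/.gnupg
+# mkdir ${HOME}/.kde/
+# mkdir ${HOME}/.kde4/
+mkdir ${HOME}/.cache/akonadi*
+mkdir ${HOME}/.cache/kmail2
+mkdir ${HOME}/.config/akonadi*
+mkdir ${HOME}/.config/baloorc
+mkdir ${HOME}/.config/emaildefaults
+mkdir ${HOME}/.config/emailidentities
+mkdir ${HOME}/.config/kmail2rc
+mkdir ${HOME}/.config/kmailsearchindexingrc
+mkdir ${HOME}/.config/mailtransports
+mkdir ${HOME}/.config/specialmailcollectionsrc
+mkdir ${HOME}/.local/share/akonadi*
+mkdir ${HOME}/.local/share/apps/korganizer
+mkdir ${HOME}/.local/share/contacts
+mkdir ${HOME}/.local/share/emailidentities
+mkdir ${HOME}/.local/share/kmail2
+mkdir ${HOME}/.local/share/kxmlgui5/kmail
+mkdir ${HOME}/.local/share/kxmlgui5/kmail2
+mkdir ${HOME}/.local/share/local-mail
+mkdir ${HOME}/.local/share/notes
+mkdir /tmp/akonadi-*
+whitelist ${HOME}/.gnupg
+# whitelist ${HOME}/.kde/
+# whitelist ${HOME}/.kde4/
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+whitelist ${HOME}/.cache/akonadi*
+whitelist ${HOME}/.cache/kmail2
+whitelist ${HOME}/.config/akonadi*
+whitelist ${HOME}/.config/baloorc
+whitelist ${HOME}/.config/emaildefaults
+whitelist ${HOME}/.config/emailidentities
+whitelist ${HOME}/.config/kmail2rc
+whitelist ${HOME}/.config/kmailsearchindexingrc
+whitelist ${HOME}/.config/mailtransports
+whitelist ${HOME}/.config/specialmailcollectionsrc
+whitelist ${HOME}/.local/share/akonadi*
+whitelist ${HOME}/.local/share/apps/korganizer
+whitelist ${HOME}/.local/share/contacts
+whitelist ${HOME}/.local/share/emailidentities
+whitelist ${HOME}/.local/share/kmail2
+whitelist ${HOME}/.local/share/kxmlgui5/kmail
+whitelist ${HOME}/.local/share/kxmlgui5/kmail2
+whitelist ${HOME}/.local/share/local-mail
+whitelist ${HOME}/.local/share/notes
+whitelist ${DOWNLOADS}
+whitelist ${DOCUMENTS}
+whitelist ${RUNUSER}/gnupg
+whitelist /tmp/akonadi-*
+whitelist /usr/share/akonadi
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+whitelist /usr/share/kconf_update
+whitelist /usr/share/kf5
+whitelist /usr/share/kservices5
+whitelist /usr/share/qlogging-categories5
+whitelist /var/mail
+whitelist /var/spool/mail
+include whitelist-common.inc
+include whitelist-runnuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
-# apparmor
+apparmor
 caps.drop all
 netfilter
 nodvd
@@ -56,7 +124,14 @@ protocol unix,inet,inet6,netlink
 seccomp !chroot,!io_getevents,!io_setup,!io_submit,!ioprio_set
 # tracelog
 
+private-cache
 private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg
 # private-tmp - interrupts connection to akonadi, breaks opening of email attachments
-# writable-run-user is needed for signing and encrypting emails
 writable-run-user
+writable-var
+
+# dbus-user none
+dbus-system none
+
+read-only ${HOME}/.mozilla/firefox/profiles.ini
\ No newline at end of file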
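Review bot: `include whitelist-runnuser-common.inc` at new line 107 misspells the file name (evolution.profile in this same commit uses `whitelist-runuser-common.inc`); as far as I recall firejail aborts with "cannot access profile file" when a non-.local include is missing, so this one typo would keep kmail from starting at all, and the new profile-sort CI step would not catch it. The fix is one line: `include whitelist-runuser-common.inc`. Separately, the new `mkdir` stanza applies mkdir to KDE rc files (`baloorc`, `emaildefaults`, `emailidentities`, `kmail2rc`, `kmailsearchindexingrc`, `mailtransports`, `specialmailcollectionsrc`) and to glob patterns (`akonadi*`, `/tmp/akonadi-*`); on a first run where those paths do not yet exist, mkdir would create directories where KDE expects files, and I do not believe firejail's mkdir expands globs, so `akonadi*` would be created literally — firejail's `mkfile` for the rc files and dropping the glob mkdirs (the matching `whitelist` globs pick up whatever exists) is what I would suggest, as sketched below. The file also now ends without a trailing newline (`\ No newline at end of file`), unlike the other profiles touched in this commit.

```conf
# … unchanged: mkdir ${HOME}/.gnupg and mkdir ${HOME}/.cache/kmail2; the glob mkdirs for akonadi* are dropped …
mkfile ${HOME}/.config/baloorc
mkfile ${HOME}/.config/emaildefaults
mkfile ${HOME}/.config/emailidentities
mkfile ${HOME}/.config/kmail2rc
mkfile ${HOME}/.config/kmailsearchindexingrc
mkfile ${HOME}/.config/mailtransports
mkfile ${HOME}/.config/specialmailcollectionsrc
# … unchanged: remaining mkdir and whitelist lines …
include whitelist-common.inc
include whitelist-runuser-common.inc
# … unchanged: remaining includes and sandbox options …
```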
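--- a/etc/profile-m-z/peek.profile
+++ b/etc/profile-m-z/peek.profile
@@ -17,7 +17,18 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+#mkdir ${HOME}/.cache/peek
+#whitelist ${HOME}/.cache/peek
+#whitelist ${PICTURES}
+#whitelist ${VIDEOS}
+#include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
 caps.drop all
+machine-id
 net none
 no3d
 nodvd
@@ -31,13 +42,20 @@ novideo
 protocol unix
 seccomp
 shell none
+tracelog
 
-# private-bin breaks gif mode, mp4 and webm mode work fine however
-# private-bin convert,ffmpeg,peek
+disable-mnt
+private-bin bash,convert,ffmpeg,firejail,fish,peek,sh,which,zsh
 private-dev
+private-etc dconf,firejail,fonts,gtk-3.0,login.defs,pango,passwd,X11
 private-tmp
 
-dbus-user none
+dbus-user filter
+dbus-user.own com.uploadedlobster.peek
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.FileManager1
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.gnome.Shell.Screencast
 dbus-system none
 
 memory-deny-write-execute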
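Review bot: `private-bin bash,convert,ffmpeg,firejail,fish,peek,sh,which,zsh` on new line 48 ships four shells plus the firejail binary into a sandbox that otherwise keeps `shell none` and `memory-deny-write-execute`; if peek only spawns its helpers through /bin/sh, `private-bin convert,ffmpeg,firejail,peek,sh,which` is enough, and every extra shell is a ready-made tool for whatever compromises the process while it handles ffmpeg/convert output. Whatever the final list, why `firejail` and `/etc/firejail` (in `private-etc`) must be inside is not obvious and deserves a comment, e.g. `# firejail + /etc/firejail: convert/ffmpeg may resolve to firecfg symlinks`; I am inferring that rationale, so confirm it before writing it down. The whitelist block commented out on new lines 20-24 has no explanation either, unlike the removed `# private-bin breaks gif mode` note it replaces; a one-line reason such as `# whitelisting disabled: <what breaks>` keeps the next maintainer from re-enabling it blindly.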
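--- a/etc/profile-m-z/vlc.profile
+++ b/etc/profile-m-z/vlc.profile
@@ -8,6 +8,7 @@ include globals.local
 
 noblacklist ${HOME}/.cache/vlc
 noblacklist ${HOME}/.config/vlc
+noblacklist ${HOME}/.config/aacs
 noblacklist ${HOME}/.local/share/vlc
 
 include disable-common.inc
@@ -23,6 +24,7 @@ mkdir ${HOME}/.config/vlc
 mkdir ${HOME}/.local/share/vlc
 whitelist ${HOME}/.cache/vlc
 whitelist ${HOME}/.config/vlc
+whitelist ${HOME}/.config/aacs
 whitelist ${HOME}/.local/share/vlc
 include whitelist-common.inc
 include whitelist-players.inc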
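Review bot: The new `noblacklist ${HOME}/.config/aacs` and `whitelist ${HOME}/.config/aacs` lines sit after their `.config/vlc` siblings, which breaks the alphabetical order every other list in this commit keeps (compare `aacs` before `abiword` in disable-programs.inc) and that the new profile-sort CI job appears to enforce, though I cannot see contrib/sort.py from here; moving each line one up, ahead of `.config/vlc`, restores it. That directory holds the AACS key database VLC only reads, so `read-only ${HOME}/.config/aacs` would additionally stop a compromised player from tampering with the keys — worth trying if libaacs does not need to write there, which I have not verified.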
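--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -307,6 +307,7 @@ gnome-recipes
 gnome-robots
 gnome-schedule
 gnome-screenshot
+gnome-sound-recorder
 gnome-sudoku
 gnome-system-log
 gnome-taquin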
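Review bot: `gnome-sound-recorder` is added to the firecfg list, but this diff adds no `etc/profile-*/gnome-sound-recorder.profile`; if that profile is not already in the tree, firecfg would still create the symlink and the application would then run under the generic default profile, a weaker sandbox than a dedicated one, and as far as I know firecfg does not warn about that. I cannot tell from this diff whether the profile already exists, so please confirm before merging.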